Sendportal
Stored or reflected cross-site scripting in Sendportal's Campaign Handler allows an authenticated low-privilege remote attacker to inject malicious script via the 'content' argument at the /webview/ endpoint, affecting all versions up to and including 3.0.1. A victim user must interact with the crafted content for the payload to execute, resulting in low-integrity impact with no confidentiality or availability consequences. The label "No public exploit identified at time of analysis" is incorrect here: publicly available exploit code exists (E:P in the CVSS temporal metrics), and the vendor has not responded to the coordinated disclosure, leaving no patch available.